Common question: What certs should I get?

I recently had a discussion around certifications with one of the people I'm mentoring, and thought it might be worth summarizing here. Certs can often be a polarizing topic in the information security world, so let me preface this post by very clearly stating my opinion about certs:

I believe certs are a great way to get past HR filters or to send certain signals to a hiring manager, but are not necessarily indicative of (or a replacement for) hands-on experience. As a hiring manager certs tell me a few things about a person, namely that they value continuous learning and have the drive to set a goal and follow through.

With that out of the way, let's go over a few of the more popular certifications in the industry.

Entry level

There are several cert options for someone just starting their infosec career, whether you're fresh out of high school or college or just changing career paths. I won't go into a ton of detail here, but I'll link to more information about each one.

These have been industry standard "starter" certs for years now. A+ deals more with computer hardware, Net+ deals with basic networking concepts, and Security+ is a good foundation for basic security topics.

eLearnSecurity is a newer name to the security certification world, but they have a good reputation and their name recognition is growing quickly. The eLearnSecurity Junior Penetration Tester course and certificate provide an intro to networking basics and the fundamentals of penetration testing. The exam is completely practical as well, no multiple choice.

Intermediate

These three are newer and would be good for someone with 2-5 years of experience with networking or security fundamentals. The experience isn't required to become certified, just my personal recommendation.

The CySA+ covers topics you'd encounter in a security analyst role (threat hunting, forensics, incident response, etc.). The CASP+ is more of a generalist cert in the vein of the CISSP or CISM. Pentest+, as the name suggests, covers the basics of penetration testing and vulnerability management.

Pretty much the gold standard networking cert, and opens the pathway to specializations like CCNA Security or Cyber Ops. If you want to go down the networking path or work with at a Cisco shop, this is a good one to have.

Advanced

I consider the following certifications "advanced" for a variety of reasons. Some of them are challenging exams, some are narrowly focused in a field of specialization, and some just require a certain amount of industry experience before you qualify to hold them. Again this is all just my opinion.

If #infosec Twitter is any indicator, people either love the CISSP or hate it. I can say that it definitely pushed me to the next step in my career and has opened several doors that might not have been open for me without it. The test wasn't necessarily difficult, but it is quite long and there is a requirement of five years of experience. The other (ISC)2 certs are either specializations on the CISSP, or more focused study areas.

The CISM is similar in many ways to the CISSP. Both are best viewed as management-oriented. I thought the CISA exam was more challenging than the CISSP, personally, though it is not as broad in subject matter. The CRISC and CGEIT are focused on risk management and IT governance, respectively. All of the ISACA certs have experience requirements.

eLearnSecurity has a large catalog of certifications, and they are all very specialized. They cover topics like reverse engineering, network defense, web application penetration testing, mobile application testing, and more.

I'll probably get some heat for lumping the OSCP in with the other Offensive Security certs, but I put them all in the advanced camp because of the amount of practical, hands-on knowledge you have to demonstrate to earn them.

I won't get into SANS course offerings because a) I have no experience with them and b) they may be cost-prohibitive to many people reading this, but they from what I've heard of them they would fit here in the advanced category as well.

Conclusion

The landscape of IT & Information Security certificates can be overwhelming, but it really comes down to one question: what are you passionate about? There are lots of different ways to work in information security. If you can identify what parts of the field interest you most, it should be simple to map out a path of certificates that can help get you noticed and get you hired.